March 19, 2009

GEORGE W. WRIGHT
VICE PRESIDENT, INFORMATION TECHNOLOGY OPERATIONS

LYNN MALCOLM
VICE PRESIDENT, CONTROLLER

SUBJECT: Audit Report – Fiscal Year 2008 Information Systems General
         Computer Controls Capping Report (Report Number IS-AR-09-005)

This report summarizes the results of our audit of information systems (IS) general controls at the XXXXX, XX; xxx xxxxx, xx; xxx xx. xxxxx, xx, Information Technology and Accounting Service Centers (IT/ASC) and the xxxxxxx, xx, Information Technology Service Center (ITSC) for fiscal year (FY) 2008 (Project Number 08RD001IS000). We performed this self-initiated audit as part of the FY 2008 financial statements audit. See Appendix A for additional information about this audit.

Conclusion

Overall, general computer controls over selected applications, data, and the computer infrastructure at the information data centers provided reasonable assurance that computer-processed data were complete, validated for accuracy, and secure. However, we identified IT audit control issues that do not, alone or collectively, represent a significant risk to reliance on general computer controls. We provided recommendations to address these issues during our review.

These issues were in the areas of:

    • xxxx xxxxxx xxxxxxxxxx, xxxxxx xxxxxxxxxx, xxxxx xxxxxxxxxxxxxx, xxx xxx xxxxxxxxxx.
    • xxxxxx® xxxxxxx xxxxxxxx.
    • Security clearance processing.
    • Periodic application risk assessments.
    • xxxxxxxx xxxxxxx xx xxxx xxxxxx.
    • xxxxxxxx xxxxxxxx plan updates.

While conducting the audit, we identified several additional issues that required management's attention. Management took action to correct each of these issues during the audit; therefore, we did not make recommendations to address them. These issues were regarding:

    • Obsolete criteria in xxxxxx xxx xxxx hardening standards.
    • Improper settings, file ownership, and permissions associated with user accounts in the xxxx environment.
    • Improper access to critical and sensitive datasets in the mainframe environment.

We issued four interim reports during our review in FY 2008 to assist management in improving information technology operations (ITO). See Appendix B for summaries of the reports we issued.

We also summarized the status of FY 2008 and previous years' recommendations in Appendix C.[1] See Table 1 in Appendix C for a list of open recommendations and Table 2 for a list of recommendations we have closed.

This report contains no recommendations. Management agreed with the facts as presented in the report. See Appendix D for management's comments in their entirety.

We appreciate the cooperation and courtesies provided by your staff. If you have questions or need additional information, please contact Frances E. Cain, Director, Information Systems, or me at (703) 248-2100.

E-Signed by Tammy Whitcomb

Tammy L. Whitcomb
Deputy Assistant Inspector General
 for Revenue and Systems

Attachments

[1] The recommendations in Appendix C refer to audits of IS general controls only.

cc: Ross Philo
    Joseph Corbett
    Harold E. Stark
    Joseph J. Gabris
    G. Dean Larrabee
    Jo Ann E. Mitchell
    Katherine S. Banks


                            APPENDIX A: ADDITIONAL INFORMATION

BACKGROUND

The xxxxx, xxx xxxxx, xxx xx. xxxxx IT/ASCs provide computer processing and accounting services for the U.S. Postal Service. The xxxxxxx ITSC provides infrastructure services[2] for over 38,000 Postal Service locations. Each of these sites includes multiple service organizations.

The xxxxx xxx xxx xxxxx IT/ASCs house these three parallel service areas:

    • Host Computing Services (HCS)
    • Integrated Business Systems Solutions Center (IBSSC)
    • Accounting Service Center (ASC)

The xx. xxxxx IT/ASC has a similar structure but without a xxx xxxx.

xxx deploys, operates, and supports systems and applications for all business units within the Postal Service. The xxxxxx perform application development, enhancement, and maintenance of systems that enable the Postal Service to achieve its business objectives. The ASCs are responsible for a variety of accounting and finance activities. These activities include accounts payable, banking and reconciliation issues, domestic and international claims, money orders, daily financial reporting, and payroll and benefits adjustments. All IT-related service centers report to the Vice President, Information Technology Operations.[3] The ASCs report to the Vice President, Controller.

Finally, to facilitate the delivery of mail worldwide, the IT organization:

    • Maintains the Postal Service's computing infrastructure.
    • Manages the corporate-wide intranet.
    • Runs the systems that connect processing centers and 38,000 post offices nationwide.
    • Controls the technology supporting 650 applications for day-to-day Postal Service business, including the payroll for approximately 700,000 career employees.
    • Determines the strategic direction for the agency's information technology.
    • Employs over 1,000 IT employees located across the continental U.S.

[2] Infrastructure services are those IT functions that support the overall Postal Service enterprise and include such areas as telecommunications, distributed computing, and IT Help Desk.
[3] Prior to February 25, 2008, all information technology-related service centers reported to the Vice President, Chief Technology Officer (CTO). They now report to the Vice President, Information Technology Operations.

OBJECTIVES, SCOPE, AND METHODOLOGY

The objectives of the audit were to determine if general controls for selected applications, data, and computer infrastructure at the IT centers provided reasonable assurance that computer-processed data were complete, validated for accuracy, and secure; data integrity controls were in place; and business practices complied with Postal Service policies, procedures, and standards. In addition, we evaluated controls over software, data, personnel, and physical security that affect computer systems.

The scope of our audit at the xxxxx, xxx xxxxx, xxx xx. xxxxx IT/ASCs and the xxxxxxx ITSC included reviews of the following systems and control areas:

    • Security Program Planning and Management
    • Access Controls
    • Application Software Development and Change Control
    • System Software Controls
    • Corporate-Wide Security Policies and Procedures
    • Segregation of Duties
    • Service Continuity
    • Follow-Up on Prior Years' Recommendations

In addition, we tested the above controls as they relate to the operating systems and database platforms for the following applications:

    • xxxxxxxx xxxx xxxxxxxxxx xxxxxx
    • xxxxxxxxxx xxxxxx xxxxxx
    • xxxxxxxxxx xxxxxxxxx xxxxxxxxx xxxxxx
    • xxxxx xxxxxxxxxx xxxxxxxxx
    • xxxxxxx xxxxxxxx xxxxxx

To address the audit objectives, we reviewed:

    • Password management practices for compliance with Postal Service standards and password settings, including expiration intervals and password complexity, for normal and privileged accounts.
    • Mainframe and mid-range user access to commands and data to determine consistency with policies and procedures.
    • Mainframe and mid-range logon IDs to ensure they were properly managed and employees had access to appropriate Postal Service data and resources.
    • System controls, by downloading and reviewing the appropriate settings and configuration files (in some cases performing live tests to ensure that system controls were effective), interviewing IT personnel, and reviewing vendor documentation.
    • Documentation authorizing access to Postal Service systems and data to verify adequate protection of Postal Service resources.
    • xxxxxxxx xxxxxxxxx xxxxxxxxx xxxxxx xxx xxxxxx xxxxxxxx xxxxxxxx xxxxxx xx xxx xxxxxxxxx xxx xxxxxxx xx xxxxxxxx xxxxxxxxxx xxxxxx xxxxxxx xxxxxxxx x xxxxxxxxx[4] xxxx xxxxxx xxxxxxxxxxx xx xxxxxxx xxxxxx xxxxxxxxx, xxxx, xxx xxxxxx; xxx xxxxxxxx xxxxxxxxxx xx xxxxxx xxx xxxxxxx xxxxxxxx xxxxxx xxxxxxxxx xxxx xxxxxx.
    • Physical security procedures and practices to verify that physical access controls were in place to protect Postal Service resources.
    • Employee and contractor files to verify that security clearances were current.
    • Information system policies and procedures to validate they were implemented, updated, and followed.
    • Facility, workgroup, and application recovery plans and test documentation to verify that management completed and tested service continuity plans.
    • System configuration reports and observed backup tape handling procedures to verify management backed up critical production files and servers.
    • The badge access system and key control procedures at each IT/ASC to ensure managers reviewed badge and key access lists and validated and documented the processes.

To supplement the general computer controls audit, our Vulnerability Assessment Team conducted tests of selected servers and databases that support the xxxxxxxxxx xxxxxx xxxxxxx xxxxxx[5] xxx xxx xxxxxxxxxx xxxxxxxxxxxx xxxxxx.[6] These tests provided management with an evaluation of the quality of security for servers where the selected applications reside.

[4] xxxxxxx xx xxx xxxxxxxx xxxxxxxx xxxx xxx xxxxxx xxxxxxx xxxx xx xxxxxxx xxxxxxxx xxxxxxxx xxx xxxxxxxxxx xx x xxxxxxxxx xxxxxxxxxxx.
[5] Security Vulnerability Assessment of the xxxxxxxxxx xxxxxx xxxxxxx xxxxxx (Report Number IS-AR-08-012, dated June 25, 2008).
[6] Security Vulnerability Assessment of the xxxxxxxxxx xxxxxxxxxxxx xxxxxx xxxxxxxx (Report Number IS-CS-08-001, dated August 29, 2008).

We interviewed personnel at the various IT/ASCs to obtain relevant information and to corroborate our analyses. We also collected and analyzed documentation on policies and procedures at these locations as they pertained to the specific areas we reviewed. In general, we judgmentally selected applications for review based on financial significance, sensitivity, elapsed time since the last review, and the platforms on which they reside. xxx xxxxxxxx xxx xxxx xx xxxxxxxx xxxxxxxxxxxxxxx xxxxxxxxxxxx xxxxxx xx xxxx xxxxxxx.

We used batch and online report tools to extract and display detailed information from the mainframe, such as user access authorizations, security resource rules governing access to application data sets, and system parameter settings. We used manual and automated techniques to analyze computer-processed data. Based on those tests and assessments, we concluded these data were sufficiently reliable to meet the audit objectives. We performed all system queries in a controlled environment with management's full knowledge and approval.

We conducted this performance audit from October 2007 through March 2009 in accordance with generally accepted government auditing standards and included such tests of internal controls as we considered necessary under the circumstances. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. We discussed our observations and conclusions with management officials throughout the audit and again on March 4, 2009, and included their comments where appropriate. We used data from various mainframe and distributed systems and financial applications in the course of conducting our audit. We performed limited testing of this information as part of our review.

PRIOR AUDIT COVERAGE

Report Title: Fiscal Year 2007 Information Systems General Controls Capping Report
Report Number: IS-AR-08-007
Final Report Date: March 11, 2008
Monetary Impact: None
Report Results: Overall, general computer controls were in place and working effectively. However, additional controls and actions were needed in the areas of xxxxxx xxxxxxxx xxxxxxxx xxxxxxxx, xxxxxxx xxxxxxxx xxxxxxxx, classification of employees in sensitive positions, xxxxxxxxxxx xxxxxxxx xxxxxxx, and key inventory management. This report contained no recommendations.

Report Title: Fiscal Year 2006 Information Systems General Controls Capping Report
Report Number: IS-AR-07-009
Final Report Date: February 26, 2007
Monetary Impact: None
Report Results: Overall, general computer controls were in place and working effectively. However, additional controls and actions were needed in the areas of access to xxxx xxxxxxx, xxxxxx xxxxxxxx xxxxxxx, xxxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxxx xxxxxxx, xxxxxxxx xxxxxxxx xxxx xxxxxxxxxxx xxxxxx, xxxxxxxx xxx xxxxxxxxxxxxxx xx xxxxxxx xxx xxxxxxxx. This report contained no recommendations.

Report Title: Fiscal Year 2005 Information Systems General Controls Capping Report
Report Number: IS-AR-06-004
Final Report Date: March 6, 2006
Monetary Impact: None
Report Results: Overall, general computer controls were in place and working effectively. However, additional controls and actions were needed in the areas of xxxxxx xx xxxxxxxx xxxxxxxxx; xxxxxxxxx xxxxxx xxxxxxxxxx xxx xxxx xxxxxx xxxxxxxx; xxxxxxxxx xxxxxxx xxxxxxxxxx; xxxxxxxx xxx xxxxxxxxxx xxxxxxx xxx xxxxxxxxx xxxxxxxxx; xxxxxx xxxxxx xx xxxxxxxxxxxx xxxxxxxxx; xxxxxxxxxx xxx xxxxxxxx xx xxxxx xxxxxx xxxxxxx; xxxxxx xxxxx xxxxx; xxx xxx xxxxxxxxx xxxxxxx xxxxxxxxx xxxxxxxxxxxxxxxxxx xxx xxxxxxxx xxxxxxxx xxxxxxxx. xx xxxx xxxxxxxxxx x xxxxxxxx xxxxx xxxxxxxxx xxxxxxxxxxxxx xxxxxx xx xxxxxx xxxxxxx xxxx xxx xxxxxxxxx. This report contained no recommendations.


                    APPENDIX B: SUMMARY OF REPORTS ISSUED

System Software Controls at the xxxxx, xxxxxxxxx xxx xxx xxxxx, xxxxxxxxxx Information Technology and Accounting Service Centers for FY 2008 (Report Number IS-AR-08-011, dated June 3, 2008).

This report presented the results of our audit of system software controls at the xxxxx xxx xxx xxxxx IT/ASCs. The objective of this audit was to determine if management established a framework and continuing cycle of activity for limiting access to system software, monitoring access to and the use of system software, and controlling system software changes. Overall, management adequately configured data systems and platforms to optimize security and appropriately manage risks for the selected applications that we reviewed. xxxxxxx, xxx xxxx xxxxxxxxxxxxxx xxx xxx xxxxxx xxxxxx xxxxxxxxx xxxxxxx xxx xxxxxxx xxxxxxxxxxxx xxxxxxxxxx xx xxxxxx xxxxxxxx xxxxxxx xxxxxxxx xx xxxxxxxx xxxxxxxxxxxxxx. xx xxxxxxxx, xxxx xxxxxxxxxxxxxx xxx xxx xxxxxxxx xxx xxx xx xxxxx xxxxxxxx xxx xxx xxx xxxxxxxxxxxx xxxxxx xxx xxxxxx xxxx xxx xxxxxxxxxx xx xxxxxxxx xxx xxxxxxx.

We provided three recommendations to (1) develop procedures to ensure xxxx administrators review exception reports and timely correct xxxx server settings deficiencies to comply with hardening standards; (2) update xxxx hardening standards to add applicable audit features and to specify log review and retention requirements; and (3) implement xxxx system audit features and log review and retention requirements as specified in the revised hardening standards. In addition, management had corrected, or was in the process of correcting, other minor issues that we identified during the review concerning obsolete criteria in the xxxxxx xx xxxx hardening standards, awareness of the existence of the Postal Service's xxxx hardening standards, and obsolete and outdated information regarding administering and installing software patches in a xxxx environment.

Access Controls at the xxxxx, xxxxxxxxx; xxx xxxxx, xxxxxxxxxx; xxx xx. xxxxx, xxxxxxx Information Technology and Accounting Service Centers for Fiscal Year 2008 (Report Number IS-AR-08-015, dated August 15, 2008).

This report presented the results of our audit of access controls at the xxxxx, xxx xxxxx, xxx xx. xxxxx IT/ASCs. The objective of this audit was to determine whether the Postal Service had adequate controls to limit or detect access to its information resources (data, programs, equipment, and facilities) and protect these resources against unauthorized (accidental or intentional) modification, loss, damage, or disclosure. Overall, physical access controls for IT facilities and logical access controls xxx xxxxxxxxx, xxxx, xxxxxxx, xxx xxxxxxxx xxxxxxxxx were in place and functioning adequately. However, our testing identified opportunities to improve compliance with these controls. xxxxxxxxxxxx, xxxxxxxxxx xxxxx xxxxxxx xxxxxxx xxxxxx xxxxxxxx xx xxxxxxxx xxxx xxxxxxxx xx xxxxxxxxxx xxx xxxxxxxxxxx xxxxxxxxx xxxx xxxxxx xxxx xxxxxx, xxxxxxxxx xxxxxx xxxxxxxx xx xxxxxx xxxxxxxx, xxx xxxxxxxxx xxxxxxxx xxxxxxxxx xxxxxxxxxxxx xxx xxx xxxxxx xxxxxxxxx. xx xxxx x xxxxxxxxxxxxxx xx xxxxxxx xx xxxxxxxxx xxxxxxxxx xx xxxxxxxx xxx xxxxxx xxxx xxxxxxxx xx xxxxxxxxxx xxx xxxxxxxxxxx xxxxxxxxx xxx xx xxxxxx xxxx xxxxxx xxxx xxxx xxxxxx xx xxxxxxx. xx xxxx xxxx x xxxxxxxxxxxxxx xx xxxxxxx xx xxxxxxxxx xxxxxxxxx xx xxxxxxxxxxxx xxxxxx xxxxxx xxxx xxxxxxxx xx xxxxxx xxxx xx xxx xxxxxxx xxx xxxxxxx xxxxxxx.

Security Policies and Procedures (Corporate-Wide) at the Information Technology and Accounting Service Centers for Fiscal Year 2008 (Report Number IS-AR-09-002, dated November 13, 2008).

This report presented the results of our audit of corporate-wide security planning and program management at the Postal Service's IT/ASCs located in xxxxx, xx, xxx xxxxx, xx, xxx xx. xxxxx, xx. The objectives were to determine whether management established a framework and continuing cycle of activity for assessing risk, developing and implementing effective security procedures, and monitoring the effectiveness of these procedures. Overall, management established information security policies and procedures to protect critical and sensitive information resources. These included, but were not limited to, xxxxxxxxxxxx xxx xxxxxxxxxx xx x xxxxxxxx xxxxxxxxxx xxxxxxxxx xxx xxxxxxxxx xxxxxxxx xxxxxxxxxx xx xxxxxx xxx xxxxxxxxxxx xxxxxxxxx.

However, our review identified opportunities to improve compliance with these policies and procedures. Specifically, management could improve controls by initiating security clearance processing for all employees occupying sensitive positions. In addition, xxxxxxxxxx xxxxx xxxxxxx xxxxx xxxxxxxxxxxxxx xx xxxxxxx xxx xxxxxxxxxxxxxxx xx xxxxxxxxx xxxxxxxxx xx xxxxxxxxxx xxxxxxxx xxxxxxxxxxx xxxx xxxxxxxxxxx. We provided four recommendations to: (1) develop a process to ensure security clearances are initiated for individuals in positions classified as sensitive; (2) provide reports to the Security Control Officer on a semiannual basis to track the security clearance status of employees in sensitive positions at the xxxxx, xxx xxxxx, xxx xx. xxxxx IT/ASCs; (3) perform risk reassessments on the six applications reviewed during this audit; and (4) establish milestones to review all sensitive and critical applications for current risk assessments and complete the reassessments on those applications that are not current. In addition, management took corrective action to initiate nine security clearances we identified as missing during the audit.

Service Continuity at the Information Technology and Accounting Service Centers for Fiscal Year 2008 (Report Number IS-AR-09-003, dated January 20, 2009).

This report presented the results of our audit of service continuity at the xxxxx, xx, xxx xxx xxxxx, xx, IT/ASCs. The objective of this audit was to determine whether service continuity controls were in place to minimize the risk when unexpected events occur and to ensure critical operations continue without interruption or can be resumed within a reasonable amount of time. Overall, management adequately developed the infrastructure and service continuity processes and procedures to maximize the availability of critical Postal Service operations while minimizing potential risks for service interruption. The Postal Service was undergoing significant changes in the computing infrastructure, including virtualization and replication. To further minimize the risk of service disruption, management could improve processes xxx xxxxxxxx xxxxxxx xx xxxx xxxxx xxx xxxxxxxxxx xxx xxxxxxxx xxxxxxxx xxxxxxx xxxxxxx xx xxx xxx xxxxx IT/ASC. We made two recommendations to management that included designating personnel responsible for administering the backup process for the xxx xxxxx xxx Center and implementing procedures to ensure xxxx backup tapes were stored off-site. Additionally, we made two recommendations to management that included clarifying the responsibility for maintaining, administering, and updating the xxxxxxxx xxxxxxxx plan for xxx xxxxx.


                    APPENDIX C: ACTION ON PRIOR YEAR RECOMMENDATIONS

Table 1: Open Recommendations

                                                                                        Responsible Organizations
Report           Recommendation
Number           Number             Description                                     CTO/      xxx[8]   xxx    xxx[9] xxx[10]   USPIS[11]  ERM[12]   Controller
                                                                                    ITO[7]
IS-AR-07-017[13] 1(S)[14]           Assess the risk of all IT/ASC positions         x                                          x          x         x
                                    (career and non-career) for the
                                    purpose of assigning them as
                                    sensitive.
                 2                  Establish a requirement to periodically         x                                          x          x         x
                                    reassess the risk of sensitive
                                    positions to determine if they should
                                    retain the designation.
                 3                  Establish a central location to                 x                                          x          x         x
                                    maintain an official list of sensitive
                                    positions by occupation code, title,
                                    and job description.
                 4(S)               Notify the Postal Inspection Service            x                                          x          x         x
                                    when management creates a new
                                    IT/ASC position, hires a new
                                    employee, or promotes an employee
                                    to a new position to make certain the
                                    proper clearance level is attributed to
                                    the employee.

[7] Vice President, CTO. The Postmaster General replaced the CTO position on February 25, 2008, with the ITO position.
[8] IT/ASC, xxxxx, xx.
[9] IT/ASC, xx. xxxxx, xx.
[10] ITSC, xxxxxxx, xx.
[11] U.S. Postal Inspection Service.
[12] Employee Resources Management.
[13] Separation of Duties at the xxxxx, xxxxxxxxx; xxx xxxxx, xxxxxxxxxx; xxx xx.xxxxxx, xxxxxxxx Information Technology and Accounting Service Centers, dated August 29, 2007.
[14] (S) = Significant.

Table 1: Open Recommendations (cont.)

                                                                                        Responsible Organizations
Report           Recommendation
Number           Number             Description                                     CTO/      xxx      xxx    xxx    xxx       USPIS      ERM       Corporate
                                                                                    ITO                                                            IT Portfolio
IS-AR-07-017     5                  Amend the Administrative Support                                                           x
(cont.)                             Manual to designate the Chief
                                    Inspector as responsible for defining
                                    the criteria for identifying sensitive
                                    positions, to specify the criteria for
                                    designating a position as sensitive,
                                    and to update the list of position types
                                    requiring a sensitive clearance.
IS-AR-08-011[15] 1(S)               Develop procedures to ensure xxxx               x         x        x
                                    xxxxxxxxxxxxxx xxxxxx xxxxxxxxx
                                    xxxxxxx xxx xxxxxx xxxxxxx xxxx
                                    xxxxxx xxxxxxxx deficiencies to
                                    comply with hardening standards.
                 2                  Update xxxx hardening standards to              x         x        x
                                    add applicable audit features and to
                                    specify log review and retention
                                    requirements.
                 3                  Implement xxxx system audit features            x         x        x
                                    and log review and retention
                                    requirements as specified in the
                                    revised hardening standards.

[15] System Software Controls at the xxxxx, xxxxxxxxx xxx xxx xxxxx, xxxxxxxxxx Information Technology and Accounting Service Centers for Fiscal Year 2008, dated June 3, 2008.

Table 1: Open Recommendations (cont.)

                                                                                        Responsible Organizations
Report           Recommendation
Number           Number             Description                                     CTO/      xxx      xx     xxx    xxx       USPIS      ERM       Corporate
                                                                                    ITO                                                            IT Portfolio
IS-AR-08-015[16] 1                  Develop an xxxxxxxxx xxxxxxxxx xx                x         x
                                    xxxxxxxx xxx xxxxxx xxxx xxxxxxxx xx
                                    xxxxxxxxxx xxx xxxxxxxxxxx xxxxxxxxx
                                    xxx xx xxxxxx xxxx xxxxxx xxxx xxxx
                                    groups.
                 2                  Develop an automated procedure to               x                                x
                                    periodically review xxxx xxxxxxxx xx
                                    xxxxxx xxxx xx xxx xxxxxxx xxx xxxxxxx
                                    xxxxxxx.
IS-AR-09-002[17] 2                  Provide reports to the Security Control                                                              x
                                    Officer on a semiannual basis to track the
                                    security clearance status of employees in
                                    sensitive positions at the xxxxx, xx; xxx
                                    xxxxx, xx; xxx xx. xxxxx, xx IT/ASCs.
                 3                  Perform risk reassessments on the six           x
                                    applications reviewed during this audit.
                 4                  Establish milestones to review all              x
                                    sensitive and critical applications for
                                    current risk assessments and complete
                                    the reassessments on those applications
                                    that are not current.

[16] Access Controls at the xxxxx, xxxxxxxxx; xxx xxxxx, xxxxxxxxxx; xxx xx. xxxxx, xxxxxxxx Information Technology and Accounting Service Centers for Fiscal Year 2008, dated August 15, 2008.
[17] Security Policies and Procedures (Corporate-Wide) at the Information Technology and Accounting Service Centers for Fiscal Year 2008, dated November 13, 2008.

Table 1: Open Recommendations (cont.)

                                                                                        Responsible Organizations
Report           Recommendation
Number           Number             Description                                     CTO/      xxx      xx     xxx    xxx       USPIS      ERM       Corporate
                                                                                    ITO                                                            IT Portfolio
IS-AR-09-003[18] 1
Designate personnel responsible for               x\n                                           administering the xxxxxx xxxxxxx xxx xxx\n                                           xxx xxxxx xxx xxxxxx.\n                             2(S)          Implement procedures to ensure xxxx                x\n                                           xxxxxx xxxxx xxx xxxxxx xxxxxxxx.\n                              3            Clarify the responsibility for maintaining         x\n                                           and administering the xxxxxxxx xxxxxxxx\n                                           xxxx xxx xxx xxx xxxxx IT/ASC.\n                              4            Update the xxxxxxxx xxxxxxxx xxxx xxx              x\n                                           xxx xxx xxxxx IT/ASC.\n\n\n\n\n  18\n       Service Continuity at the Information Technology and Accounting Service Centers for Fiscal Year 2008, dated January 20, 2009.\n                                                                                15\n\x0c  Fiscal Year 2008 Information Systems                                                          IS-AR-09-005\n   General Computer Controls Capping Report\n\n\n\n  Table 2: Closed Recommendations\n\n                                                                        Responsible Organization\n  Report Number              Recommendation Number\n                                                                     CTO       xxx      xx     xxx     xxx     ERM\n               19\nIS-AR-07-018                                 1                         x        x       x\n                                             3                         x        x       x\nIS-AR-08-00220                               1                         x                                x\n                                            2(S)                       x                        x\n                                             3                         x\n                     
                       5(S)                       x                                x\nIS-AR-09-002                                 1                                                                  x\n\n\n\n\n  19\n     xxxxxxxx xxxxxxxx xxxxxxx xxx xxxxxxxx xxxxxx xxxxxxx xxxxxxxxxxxx xx xxx xxxxx, xxxxxxxxx xxx xxx xxxxx,\n  xxxxxxxxx Information Technology and Accounting Service Centers for Fiscal Year 2007, dated September 14, 2007.\n  20\n     Information System Access Controls at Selected Information Technology Facilities for Fiscal Year 2007, dated\n  November 6, 2007.\n\n\n                                                        16\n\x0cFiscal Year 2008 Information Systems                      IS-AR-09-005\n General Computer Controls Capping Report\n\n\n                      APPENDIX D: MANAGEMENT\xe2\x80\x99S COMMENTS\n\n\n\n\n                                            17\n\x0c'